Remote agents with dynamic IPs and security

Posted: Tue Apr 24, 2012 9:06 am
by jshasteen
I was wondering what the best practice was when using remote agents connected from their homes via SIP when the remote agent is using a residential internet connection with a dynamic IP. Normally with a static IP I would simply allow the necessary ports from the IP in the SuSE custom firewall section and be done with it. I have used fail2ban in the past and it has worked well although I seem to remember it not wanting to come up after a reboot in certain cases but I don't recall the specifics.

I was thinking about coding up a simple little web form that grabs the source IP from an agent and whitelists it after a password and/or security question has been answered, and while that might be fun to do, I don't really have the time right now :)

- ViciBox 3.1.10
- VERSION: 2.4-326c BUILD: 110506-1612
- Asterisk 1.4.39.2-vici
- Intel(R) Core(TM)2 Quad CPU Q9505 @ 2.83GHz with 8GB RAM
- IAX and SIP used (no TDM capabilities)

Re: Remote agents with dynamic IPs and security

Posted: Tue Apr 24, 2012 9:25 am
by williamconley
1) Keep all existing setup on "whitelist only"

2) Create a new web page that runs only on port 81

3) Be sure the web page is NOT "index" so it must be addressed directly (no guessing, make it an impossible to guess page name like "akjsajg816j1283ja.php"). Consider rotating it regularly and sending the dynamic agents a link every morning before work if you're really security conscious.

4) That new web page has one purpose: Check user/pass against vicidial_users table (borrow the code from any vicidial page!) and if the user authenticates, add their IP address to the iptables "good" file managed by the "Recent" module in iptables.
This module allows the creation of a file that can be checked against within the iptables system.

5) If an entry is present or absent, special action can be taken. In this case, the action would be ACCEPT, thus after logging in to this page the agent is now "whitelisted" until reboot when that file is cleaned out.

We charge $100 to install this in a standard Vicibox installation, as we've already invested the time to create it. :) And you're right, it was fun to make. I'd like to make it part of Vicibox. Maybe I'll suggest that to Kumba :)
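
A sketch of the privileged half of the approach in steps 4 and 5, as an added example that is not williamconley's code or part of ViciBox: a small helper the login page could call after a successful user/pass check, which validates the address and adds it to an iptables "recent" list. The list name "agents", the script name, the ports in the commented rules and the sudo arrangement are assumptions; the address passed in should be the connection's source address, not a client-supplied header.

```shell
#!/bin/sh
# Added example, not from the thread. After the agent authenticates, the web
# page runs (e.g. through a sudo rule limited to this one script):
#   agent-allow.sh allow <source address of the HTTP connection>
# LIST_NAME and the script name are assumptions for illustration.
LIST_NAME="${LIST_NAME:-agents}"
LIST_FILE="${LIST_FILE:-/proc/net/xt_recent/$LIST_NAME}"

# Firewall side, loaded once as root. 5060/udp is SIP; 10000:20000/udp is
# Asterisk's default RTP range (match it to rtp.conf). Adding "--seconds 43200"
# after --rcheck makes an entry match only while it is under 12 hours old.
#   iptables -A INPUT -p udp --dport 5060 -m recent --rcheck --name agents -j ACCEPT
#   iptables -A INPUT -p udp --dport 10000:20000 -m recent --rcheck --name agents -j ACCEPT

# Accept only a dotted-quad IPv4 address with every octet in 0-255, so nothing
# else can ever reach the write into /proc.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots; input is digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# xt_recent takes one command per write: "+addr" adds, "-addr" removes.
allow_ip() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    printf '+%s\n' "$1" > "$LIST_FILE"
}

revoke_ip() {
    valid_ipv4 "$1" || { echo "rejected address: $1" >&2; return 1; }
    printf -- '-%s\n' "$1" > "$LIST_FILE"
}

case "${1:-}" in
    allow)  allow_ip "${2:-}" ;;
    revoke) revoke_ip "${2:-}" ;;
esac
```

The list file only exists once a rule naming the list has been loaded, and its contents are lost on reboot, which matches the "whitelisted until reboot" behaviour described in step 5.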

Re: Remote agents with dynamic IPs and security

Posted: Tue Apr 24, 2012 10:07 am
by jshasteen
Sweet! Thanks for the detailed response William.